The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) held a stakeholder security briefing that led to an alert (the CISA Alert) issued on March 13, 2020. The CISA Alert encourages all businesses to adopt a heightened state of cybersecurity as they establish remote work options (i.e., telework).

CISA's director, Chris Krebs, voiced concern about the impending reliance on telework and urged enterprises to consult CISA's VPN security guidance. Director Krebs also urged the private sector workforce to be on the alert for COVID-19 phishing scams and expressed concern about misinformation in circulation, urging businesses to verify claims before relying on information found on social media. CISA welcomes reports of phishing scams.

Remote Operating Guidance & Phishing Scams for All Businesses

The CISA Alert urges IT managers and executives to remind employees of the hazards of phishing emails, which are becoming more sophisticated and harder to spot. The CISA Alert notes that phishing emails reported during the COVID-19 pandemic have included:

  • Emails that appear to have been sent by the World Health Organization or by a government agency or health organization;
  • Counterfeit purchase orders for face masks or other health or medical supplies related to COVID-19;
  • Fake emails requesting "remote workplace testing" that attempt to harvest login credentials or other authentication information; and
  • Requests for donations that appear to come from bona fide relief organizations or related health organizations.

The CISA Alert also urges IT managers and executives to be mindful of the following related risks:

  • Working on unsecured personal devices at home;
  • Transferring company information through personal email accounts (for example, employees emailing company files to themselves);
  • Use of personal cloud storage accounts;
  • Taking company documents home, with the attendant risk of theft (for example, from a car);
  • Use of unsecured connections from home; and
  • Use of unsecured conference call lines.

To mitigate the foregoing potential risks, CISA encourages businesses to review the following recommendations when considering alternate workplace options:

  • Update VPNs, network infrastructure devices, and devices used to remote into work environments with the latest software patches and security configurations.1
  • Alert employees to an expected increase in phishing attempts.2
  • Ensure IT security personnel are prepared to ramp up remote access cybersecurity tasks such as log review, attack detection, and incident response and recovery.3
  • Implement multi-factor authentication (MFA) on all VPN connections to increase security (or, at a minimum, require strong passwords).4
  • Test VPN capacity limits in preparation for mass usage, and determine whether modifications (such as rate limiting to prioritize users who require higher bandwidth) are needed.
  • Contact CISA to report incidents, phishing, malware, and other cybersecurity concerns.

The CISA Alert reminds employers and businesses that a phishing attack can succeed if just one employee clicks a fraudulent link or opens a malicious attachment. To reduce this risk, CISA recommends email alerts, training via webinar or teleconference, and phishing tests.

If your company is implementing its business continuity plan (BCP), educate your employees about any changes to business practices called for in the BCP. If your business does not have a BCP in place, or its BCP does not contemplate the current circumstances, distribute information to your employees describing the procedures you intend to follow, including:

  • Identify the people in your organization from whom employees can expect to receive updates regarding business operations, changes in procedure, urgent announcements, or notices regarding IT matters (including announcements of any software installations or downloads).
  • Create a central online repository where employees can find the most current information about altered business practices.
  • Establish points of contact for receiving and answering employee questions, to maintain consistent and accurate communications.
  • Provide a readily accessible directory of all key internal contacts for IT support and HR functions.
  • Designate personnel who will coordinate, review, and approve external requests, such as those that appear to come from customers or vendors seeking a variance from established business practices.

Keeping employees informed will help them identify bad actors. Advise employees of the steps they should take to report suspicious activity, and whom they should alert if they may have inadvertently responded to a phishing attack or if confidential information may have been compromised.

Additionally, if your company is implementing its BCP and will be changing customary business practices, notify business partners or customers (as applicable) of the relevant changes in accordance with contractual notice obligations and procedures. Make clear to business partners and customers who the principal points of contact will be while the BCP is in effect. Also consider whether force majeure clauses have been triggered and determine whether notice is required under such provisions. To the extent mitigation efforts are undertaken, define and communicate what steps will be taken and where business partners or customers may turn for additional information. Ensure stakeholders are aware that such measures have been implemented and know the names and contact information of the counterparts with whom they may interface, so that personnel on both sides can avoid being misled by scam communications.

If your company has an incident response plan (IRP) to address actual or suspected data security breaches, review it now and remind the personnel with responsibilities under the IRP of their roles and obligations. Update the plan if necessary, and consider holding a brief tabletop exercise that brings the incident response team together to walk through the steps to be taken should a data breach occur. If your IRP does not identify all internal and external stakeholders who may need to be notified in the event of a data breach, develop this list and designate the decision makers who will have authority to determine whether notice is required and, if so, what it should say. To the extent template notices do not already exist, prepare drafts customized for each applicable recipient (e.g., insurers, consumers, law enforcement, business partners, etc.).

Finally, a number of industry regulators have published statements or notices indicating that they will exhibit leniency in enforcing certain security rules during this time, particularly in connection with telehealth and telework arrangements. Although some regulators may be more lenient, companies should be aware that bad actors are taking advantage of recent events and should remain vigilant in their cybersecurity practices.

Footnotes

1. See CISA Tips Understanding Patches and Securing Network Infrastructure Devices.

2. See CISA Tip Avoiding Social Engineering and Phishing Attacks.

3. Per the National Institute of Standards and Technology (NIST) Special Publication 800-46 Revision 2, Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, these tasks should be documented in the configuration management policy.

4. See CISA Tips Choosing and Protecting Passwords and Supplementing Passwords for more information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.